ISO 27000 came out of BS (British Standard) 7799, originally published in 1995 in three parts. The first part of BS 7799, dealing with the best practices of information security, was incorporated into ISO 17799 and made part of the ISO 27000 series in 2000. Part two, titled “Information Security Management Systems – Specification with Guidance for Use”, became ISO 27001 and dealt with the implementation of an information security management system. The third part was not incorporated into the ISO 27000 series. Similar to ISO’s 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a certain level of information security maturity.

Overview of the ISO 27000 sections

The six parts of the 27000 series each deal with a different area of an Information Security Management System (ISMS). This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for an ISMS. An overview of what the series deals with can be found in the table below.

ISO 27000 Series

ISO 27001 – ISMS requirements

ISO 27002 – ISMS controls

ISO 27003 – ISMS implementation guidelines

ISO 27004 – ISMS measurements

ISO 27005 – Risk management

ISO 27006 – Guidelines for ISO 27000 accreditation bodies

As can be seen in the table above, ISO 27001 details the actual requirements that businesses must meet to comply with the ISO 27000 standard. ISO 27002 builds on ISO 27001 by describing the various controls that can be used to meet the requirements of ISO 27001. ISO 27003 provides details on the implementation of the standard, including project approval, scope, analysis, risk assessment, and ISMS design. ISO 27004 outlines how an organization can monitor and measure security in relation to the ISO 27000 standards using metrics. ISO 27005 defines the high-level risk management approach recommended by ISO, and ISO 27006 outlines the requirements for organizations that will assess ISO 27000 compliance for certification.

Series contents

The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (http://www.27000.org). The standard can be broken down into the following sections:

Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.

Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

ISO 27001 specifies the requirements against which a company’s ISMS can be assessed for potential certification. The certification process is carried out by an accredited organization, which examines whether the corporation has met the requirements outlined in ISO 27001. Once this organization determines that the company has met the requirements of ISO 27001, the certification is granted. Certification must be renewed every three years and is subject to audits.

Benefit to business

Compliance with the ISO standards provides companies with a credential demonstrating that the company meets the requirements of this well-recognized standard. It also gives employees and clients more assurance that their data is safe with the company. In some cases, companies may require ISO certification in order to do business. The ISO 27000 standard contains many useful recommendations, and companies are encouraged to familiarize themselves with them even if they do not plan on becoming certified. Obtaining the standard itself does cost money; however, qualified compliance practitioners can assist with the preparation for the compliance effort.

Summary

ISO 27000 comprises six parts outlining the requirements for certification, guidelines for achieving those requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security. Similar to the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.